[dpdk-stable] patch 'mbuf: fix boundary check at dynamic field registration' has been queued to stable release 19.11.4

luca.boccassi at gmail.com luca.boccassi at gmail.com
Fri Jul 24 13:58:10 CEST 2020

Previous message: [dpdk-stable] patch 'bus/pci: fix VF memory access' has been queued to stable release 19.11.4
Next message: [dpdk-stable] patch 'mbuf: fix error code in dynamic field/flag registration' has been queued to stable release 19.11.4
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

FYI, your patch has been queued to stable release 19.11.4

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 07/26/20. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Thanks.

Luca Boccassi

---
>From f32952bfab8ea4160ce82e2c1b6262397fa635bd Mon Sep 17 00:00:00 2001
From: Xiaolong Ye <xiaolong.ye at intel.com>
Date: Sat, 13 Jun 2020 23:49:17 +0800
Subject: [PATCH] mbuf: fix boundary check at dynamic field registration

[ upstream commit f8eb26dda8bfc806ff71f65966dc17210686fc20 ]

We should make sure off + size < sizeof(struct rte_mbuf) to avoid
possible out-of-bounds access of free_space array, there is no issue
currently due to the low bits of free_flags (which is adjacent to
free_space) are always set to 0. But we shouldn't rely on it since it's
fragile and layout of struct mbuf_dyn_shm may be changed in the future.
This patch adds boundary check explicitly to avoid potential risk of
out-of-bounds access.

Fixes: 4958ca3a443a ("mbuf: support dynamic fields and flags")

Signed-off-by: Xiaolong Ye <xiaolong.ye at intel.com>
Acked-by: Olivier Matz <olivier.matz at 6wind.com>
---
 lib/librte_mbuf/rte_mbuf_dyn.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/librte_mbuf/rte_mbuf_dyn.c b/lib/librte_mbuf/rte_mbuf_dyn.c
index 953e3ec31..13d6da6d1 100644
--- a/lib/librte_mbuf/rte_mbuf_dyn.c
+++ b/lib/librte_mbuf/rte_mbuf_dyn.c
@@ -69,7 +69,8 @@ process_score(void)
 
 	for (off = 0; off < sizeof(struct rte_mbuf); off++) {
 		/* get the size of the free zone */
-		for (size = 0; shm->free_space[off + size]; size++)
+		for (size = 0; (off + size) < sizeof(struct rte_mbuf) &&
+			     shm->free_space[off + size]; size++)
 			;
 		if (size == 0)
 			continue;
-- 
2.20.1

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2020-07-24 12:53:50.613155067 +0100
+++ 0052-mbuf-fix-boundary-check-at-dynamic-field-registratio.patch	2020-07-24 12:53:48.275006236 +0100
@@ -1,8 +1,10 @@
-From f8eb26dda8bfc806ff71f65966dc17210686fc20 Mon Sep 17 00:00:00 2001
+From f32952bfab8ea4160ce82e2c1b6262397fa635bd Mon Sep 17 00:00:00 2001
 From: Xiaolong Ye <xiaolong.ye at intel.com>
 Date: Sat, 13 Jun 2020 23:49:17 +0800
 Subject: [PATCH] mbuf: fix boundary check at dynamic field registration
 
+[ upstream commit f8eb26dda8bfc806ff71f65966dc17210686fc20 ]
+
 We should make sure off + size < sizeof(struct rte_mbuf) to avoid
 possible out-of-bounds access of free_space array, there is no issue
 currently due to the low bits of free_flags (which is adjacent to
@@ -12,7 +14,6 @@
 out-of-bounds access.
 
 Fixes: 4958ca3a443a ("mbuf: support dynamic fields and flags")
-Cc: stable at dpdk.org
 
 Signed-off-by: Xiaolong Ye <xiaolong.ye at intel.com>
 Acked-by: Olivier Matz <olivier.matz at 6wind.com>

Previous message: [dpdk-stable] patch 'bus/pci: fix VF memory access' has been queued to stable release 19.11.4
Next message: [dpdk-stable] patch 'mbuf: fix error code in dynamic field/flag registration' has been queued to stable release 19.11.4
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the stable mailing list